[Snort-sigs] I have a question to ask

陳建宏 chanhung at ...3220...
Wed May 10 23:28:02 EDT 2006

Dear all mailing list members:

                  I study in Cheng Kung University that located in Taiwan. I want to research snort rules about rules classification and have two questions to ask for advice. 

1. I look up snort rules that have a file named classification.conf, and it has thirty four class-types. I classify them into five types that I named by myself but I do not confirm that thirty four class-types mapping to five types are correct. Five types are exploration, break in, escalation, DOS and error message and those types are needed to me. Could you give me some advices that which type is located a wrong position (eg. “kickass-porn” is not exploration and it is another type). 

 2. The other question is that there are 1 to 4 original priorities in the “classification.config” ,but I want to classify these class-types such as 1 ~ 6 levels. How can I classify priorities more in detail ? Or which documents can I research in ?

           Extremely thx for your help.    Erci Chen 


1.      exploration:

       Someone wants to explore weakness or just scan the host to get some information.

2.      break in:

       Attacker uses some tools or techniques to break in victim host.

3.      escalation:

       If attacker get into the victim host whether breaks in or not, he can modify some contents,limits of authority or control this victim host to attack another host.

4.      DOS:

       All of denial of services.

5.      error message

       Some unknown,bad or not-suspicious traffic

        1. exploration

Original  Classtype:                 Original priority 

kickass-porn                                   1

   web-application-attack                     1 

attempted-recon                              2 

rpc-portmap-decode                       2 

successful-recon-largescale              2 

successful-recon-limited                   2 

network-scan                                   3 

protocol-command-decode              3

2. break in

policy-violation                                     1

default-login-attempt                             2

misc-attack                                           2

suspicious-login                                     2

3. escalation

attempted-admin                                   1

shellcode-detect                                    1

unsuccessful-user                                   1

successful-admin                                    1

trojan-activity                                        1

attempted-user                                      1

successful-user                                      1

unusual-client-port-connection               2

system-call-detect                                 2

web-application-activity                        2

string-detect                                          3

misc-activity                                          3


   4. DOS

attempted-dos                                      2

denial-of-service                                   2

successful-dos                                      2

   5. error message

non-standard-protocol                          2

bad-unknown                                       2

suspicious-filename-detect                    2

not-suspicious                                      3

unknown                                              3

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20060510/2e415a19/attachment.html>

More information about the Snort-sigs mailing list